Date: Mon, 3 Mar 2025 18:41:06 +0200
From: Lilith Gkini
To: Vlastimil Babka
Cc: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, harry.yoo@oracle.com
Subject: Re: [PATCH] slub: Fix Off-By-One in the While condition in on_freelist()

On Mon, Mar 03, 2025 at 12:06:58PM +0100, Vlastimil Babka wrote:
> On 3/2/25 19:01, Lilith Persefoni Gkini wrote:
> > If the `search` pattern is not found in the freelist then the function
> > should return `fp == search` where fp is the last freepointer from the
> > while loop.
> >
> > If the caller of the function was searching for NULL and the freelist is
> > valid it should return True (1), otherwise False (0).
>
> This suggests we should change the function return value to bool :)

Alright, if you want to be more technical it's `1 (true), otherwise 0 (false)`. It's just easier to communicate with the true or false concepts, but in C we usually don't use bools because it's just 1s or 0s.

> I think there's a problem that none of this will fix or even report the
> situation properly. Even worse we'll set slab->inuse to 0 and thus pretend
> all objects are free. This goes contrary to the other places that respond to
> slab corruption by setting all objects to used and trying not to touch the
> slab again at all.
>
> So I think after the while loop we could determine there was a cycle if (nr
> == slab->objects && fp != NULL), right? In that case we could perform the
> same report and fix as in the "Freepointer corrupt" case?

True! We could either add an if check after the while as you said to replicate the "Freepointer corrupt" behavior... Or...
I hate to say it, or we could leave the while condition with the equal sign intact, as it was, and change that `if` check from `if (!check_valid_pointer(s, slab, fp)) {` to `if (!check_valid_pointer(s, slab, fp) || nr == slab->objects) {`

When it reaches nr == slab->objects and we are still in the while loop it means that fp != NULL and therefore the freelist is corrupted (note that nr starts from 0). This would add fewer lines of code and there won't be any repeating code.

It will enter the "Freechain corrupt" branch and set the tail of the freelist to NULL, inform us of the error, and it won't get a chance to do the nr++ part, leaving nr == slab->objects in that particular case, because it breaks out of the loop afterwards. But it will not NULL out the freelist and set inuse to objects like you suggested. If that is the desired behavior instead then we could do something like you suggested.
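As an added illustration (not code from the patch, the thread, or mm/slub.c): a userspace model of the on_freelist() walk with the `|| nr == slab->objects` term proposed above, run against a constructed slab whose freelist loops back on itself. The slab layout, the integer-index freepointers with -1 standing for NULL, and the `report` out-parameter are assumptions of the model; it shows the cycle being reported as "Freechain corrupt" with the tail cut, and also the inuse-becomes-0 side effect the thread discusses for this variant.

```c
/* Userspace model (not mm/slub.c) of the on_freelist() walk debated above: a
 * toy slab whose objects hold the index of the next free object, -1 == NULL. */
#include <stdio.h>
#include <string.h>

struct slab {
    int objects, inuse, freelist;       /* freelist == -1 means NULL */
    int next[4];                        /* freepointer stored in each object */
};
/* Stand-in for check_valid_pointer(): the pointer must lie inside the slab. */
static int check_valid_pointer(const struct slab *s, int fp) { return fp >= 0 && fp < s->objects; }

/* Returns 1 if `search` is on the list, else fp == search after the walk (so
 * search == -1 asks "does the chain end in NULL?"); `report` names the error. */
static int on_freelist(struct slab *slab, int search, const char **report)
{
    int nr = 0, object = -1, fp = slab->freelist;
    *report = NULL;
    while (fp != -1 && nr <= slab->objects) {
        if (fp == search)
            return 1;
        /* Proposed term: still walking at nr == objects means the chain never hit NULL. */
        if (!check_valid_pointer(slab, fp) || nr == slab->objects) {
            if (object != -1) {
                *report = "Freechain corrupt";
                slab->next[object] = -1;     /* cut the chain at its tail */
            } else {
                *report = "Freepointer corrupt";
                slab->freelist = -1;         /* drop the list and mark ... */
                slab->inuse = slab->objects; /* ... every object in use */
                return 0;
            }
            break;
        }
        object = fp;
        fp = slab->next[object];
        nr++;
    }
    /* Count fix-up: after a cut cycle nr == objects, so inuse ends up 0. */
    if (slab->inuse != slab->objects - nr)
        slab->inuse = slab->objects - nr;
    return fp == search;
}

int main(void)
{   /* Constructed slab whose freelist is the cycle 0 -> 1 -> 2 -> 3 -> 0. */
    struct slab s = { 4, 9, 0, { 1, 2, 3, 0 } }; const char *report;
    int rc = on_freelist(&s, -1, &report);
    printf("rc=%d report=%s inuse=%d next[3]=%d\n", rc, report, s.inuse, s.next[3]);
}
```

A second call on the same slab then walks the cut chain 0 -> 1 -> 2 -> 3 -> NULL without complaint, which is what the "Freechain corrupt" branch is meant to achieve.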